DOE/IG-0507

SPECIAL REPORT

THE DEPARTMENT OF ENERGY'S IMPLEMENTATION OF THE CLINGER-COHEN ACT OF 1996

JUNE 2001

U.S. DEPARTMENT OF ENERGY
OFFICE OF INSPECTOR GENERAL
OFFICE OF AUDIT SERVICES

U.S. DEPARTMENT OF ENERGY
Washington, DC 20585

June 20, 2001

MEMORANDUM FOR THE SECRETARY

FROM:    Gregory H. Friedman (Signed)
         Inspector General

SUBJECT: INFORMATION: Special Report on "Department of Energy's Implementation of the Clinger-Cohen Act of 1996"

BACKGROUND

In 1996, Congress passed the Clinger-Cohen Act (Act) to enhance the management and control of information technology. The Act requires Federal Agencies to appoint a Chief Information Officer and to employ a performance-and-results-based approach to managing information technology investments. Congress also has placed significant emphasis on improving efficiencies by better leveraging information technology investments across the Government. The effective use of such resources holds the promise of significant advances in efficiency and reduced cost of operations. In Fiscal Year 2001, the Department estimated that it would expend about $1.4 billion for information technology investments, a significant portion of which supports advanced and scientific supercomputing initiatives. Under these circumstances, it is essential that the Department develop and implement an effective information technology management, investment and control process.

As pointed out in our Special Report on Management Challenges at the Department of Energy (DOE/OIG-0491, November 2000), information technology management is one of the most serious challenges facing the Department. That report outlined recently reported information technology management problems that will require significant, focused effort to correct. The Office of Management and Budget recognized that widespread problems exist in this highly visible area and has established the requirement to improve capital planning and investment controls as a government-wide priority management objective for Fiscal Year 2001.

The purpose of this report is to highlight problems that have been identified and reported over time with the Department's implementation of Clinger-Cohen requirements. The report is based on a recap of major information technology related audit reports and a review of the Department's implementation initiatives.

OBSERVATIONS

While the Department has taken action to address certain information technology related management problems, it has not been completely successful in implementing the requirements of the Clinger-Cohen Act. Since the Act was passed, the Office of Inspector General has issued 13 information technology related reports that identified problems associated with meeting requirements of the Act. Cumulatively, these reports demonstrate systemic problems with the Department's approach to information technology management and its method of addressing requirements of the Act. Specifically, the Department has not satisfied major requirements of the Act to:

    • Develop and implement an integrated, enterprise-wide information technology architecture;
    • Closely monitor policy implementation efforts; and,
    • Acquire information technology related assets in an effective and efficient manner.

Factors such as a decentralized approach to information technology management, the organizational placement of the Chief Information Officer, and the lack of an information technology baseline may have contributed to these problems and impacted the Department's ability to satisfy Clinger-Cohen requirements. As pointed out in our reports, potential operational efficiencies and savings totaling more than $100 million were possible through better implementation of Clinger-Cohen requirements.

OPPORTUNITIES FOR IMPROVEMENT

The Department has initiated action on many of the recommendations contained in our past reports. In response to our reports and several management initiatives, the Department has taken a number of actions designed to improve the overall management of information technology resources. These actions include initiatives to improve computer security, to broaden the coverage of the information technology architecture, to eliminate or reduce the development of duplicative systems, and a plan for modernizing Departmental systems. While these actions have resulted in a number of improvements in information security and have great promise, opportunities for additional improvements exist. Efforts to satisfy the myriad actions mandated by Clinger-Cohen are not likely to be fully successful without organizational changes and improvements in the design and implementation of focused, information technology specific performance measures.

MANAGEMENT REACTION

Our report contains recommendations designed to improve Clinger-Cohen Act implementation. While Management concurred with recommendations 3 & 4 and proposed certain corrective actions, it did not concur with our primary recommendations 1 & 2 to realign the Office of the Chief Information Officer and provide the office with greater authority. Management expressed the view that the current organizational placement does not diminish the Department's ability to successfully implement the Act.

It is the position of the Office of Inspector General, however, that Clinger-Cohen is clear as to the required organizational alignment of the Chief Information Officer. This requirement, and the overall authority and responsibility envisioned in the Act for the Chief Information Officer, are essential elements in Clinger-Cohen's overarching objective of bringing structure, sound information technology capital investment decision making, and an economic and efficient operating strategy to Federal agencies. While we recognize that the Department of Energy may have some unique organizational characteristics which need to be addressed, we believe the Department's $1.4 billion annual information technology operations would benefit from a Chief Information Officer structure which is consistent with the terms of the Act.

Attachment

cc: Deputy Secretary
    Under Secretary
    Administrator, National Nuclear Security Administration

TABLE OF CONTENTS

Overview
    Introduction and Objective
    Conclusions and Observations

Clinger-Cohen Implementation Needs Improvement
    Details of Finding
    Recommendations

Appendix I
    Scope and Methodology

Appendix II
    Management Comments

OVERVIEW

INTRODUCTION AND OBJECTIVE

The integration of Information Technology (IT) into all aspects of the Department's management and administration of its various missions continues to increase. Congress has placed significant emphasis on improving efficiencies by better leveraging IT investments across the Government. The effective use of IT holds the promise of significant advances in efficiency and reduced cost of operations.
In light of an estimated $1.4 billion annual expenditure for IT, it is essential that the Department develop and implement an effective IT management, investment and control process.

To enhance the management and control of IT, Congress passed the Clinger-Cohen Act of 1996 (Clinger-Cohen) requiring Federal Agencies to appoint a Chief Information Officer (CIO) to manage IT investments and to adopt a performance-and-results-based management approach to acquiring, using, and disposing of IT. Clinger-Cohen calls for a capital investment process, performance measures, and the reengineering of business processes before developing or redesigning information systems. Clinger-Cohen specifically requires the CIO to develop and implement programs to ensure that IT related resources are acquired and utilized in an effective and efficient manner, that system performance is closely monitored, and that development and acquisition is based on an integrated, enterprise-wide architecture.

The purpose of this report is to highlight problems that have been identified and reported over time with the Department's implementation of Clinger-Cohen requirements. The report is based on a recap of major IT related audit reports and a review of the Department's implementation initiatives.

CONCLUSIONS AND OBSERVATIONS

While the Department has taken action to address certain IT related management problems, it has not been completely successful in implementing the requirements of the Clinger-Cohen Act of 1996. Since the Act was passed, the Office of Inspector General (OIG) has issued 13 IT related reports that identified problems associated with meeting requirements of the Act. Cumulatively, these reports demonstrate systemic problems with the Department's approach to IT management and its method of addressing requirements of the Act. Specifically, the Department has not satisfied major requirements of the Act to develop and implement an integrated, enterprise-wide IT architecture, closely monitor policy implementation efforts, and acquire IT related assets in an effective and efficient manner. Factors such as a decentralized approach to IT management, the organizational placement of the CIO, and the lack of an IT baseline may have contributed to these problems and impacted the Department's ability to satisfy Clinger-Cohen requirements. As pointed out in our reports, potential operational efficiencies and savings totaling more than $100 million were possible through better implementation of Clinger-Cohen requirements.

(Signed)
Office of Inspector General

CLINGER-COHEN IMPLEMENTATION NEEDS IMPROVEMENT

Implementation Efforts Have Not Achieved Expected Results

Despite several management initiatives, the Department's implementation of the Clinger-Cohen Act of 1996 had not achieved expected results. Since passage of the Act, the OIG has issued 13 IT related reports that identified problems associated with meeting requirements of the Act. Cumulatively, our reports demonstrate systemic problems with the Department's approach to IT management and its method of addressing requirements of the Act. Specifically, the Department had not fully developed and implemented an integrated, enterprise-wide IT architecture, closely monitored policy implementation efforts, and acquired or developed IT related assets in an effective and efficient manner.

Implementation of an Enterprise-wide Architecture

Despite many years of effort and significant expenditures, the Department has yet to deploy an integrated, enterprise-wide IT architecture. Analysis of the following reports demonstrates the Department's lack of progress in this important area.

    • In August 1998, our Review of the U.S. Department of Energy's Information Management Systems (DOE/IG-0423) disclosed that the Department had made limited progress toward developing and implementing an integrated, enterprise-wide IT architecture. The CIO lacked the authority and resources necessary to ensure development of information architectures at the program office level, which form the building blocks of a Departmental architecture.

    • In September 2000, our audit of Corporate and Stand-Alone Information Systems Development (DOE/IG-0485) reported that the Department's effort to develop and implement an integrated, enterprise-wide information architecture was largely ineffective. Despite a projected cost of about $220 million, the architecture was to address only about 10 percent of the annual $1.4 billion IT investment.

Close Monitoring and Management of All IT Resources and Programs

The Department did not closely monitor Clinger-Cohen implementation initiatives. The lack of implementation monitoring and oversight is manifested by problems in information systems security, cyber related infrastructure protection, and systems development. The following reports demonstrate the extent and effect of the problems.

    • In February 2000, our report on Unclassified Computer Network Security at Selected Field Sites (DOE/IG-0459) showed that the Department had not closely monitored or managed unclassified computer network security. While each of the six major sites audited had developed and implemented certain policies, procedures, and physical controls to protect computer systems, a comprehensive Department-level network security program was not in place. We also noted that specific performance measures and objectives related to information security had not been established by the Department.

    • In April 2000, our audit report on the Implementation of Integrated Business Information Systems Within the Department of Energy (DOE/IG-0466) showed that some Departmental contractors were unsuccessful at implementing integrated business systems because they did not follow established Federal and Departmental guidelines. While the Office of the CIO was aware of these development efforts, it was not charged with the responsibility and did not proactively monitor them for cost, schedule, or viability issues.
As a result, the Department received no appreciable benefit from the $15.1 million spent on unsuccessful implementations.

    • In September 2000, our report on the audit of Corporate and Stand-Alone Information Systems Development (DOE/IG-0485) showed that the Department had not closely monitored or managed many of the Department's IT programs. The Department has delegated development or procurement authority for systems costing $50 million or less to field sites and thereby excluded virtually all systems from the review or concurrence process and from any direct Federal involvement. Consistent with the delegation approach, the Department did not closely monitor development efforts, maintain a systems inventory, or track development costs.

    • In September 2000, we reported that the Department had not adequately managed the Implementation of Presidential Decision Directive 63, Critical Infrastructure Protection (DOE/IG-0483). Specifically, we observed that the Department had not implemented its critical infrastructure protection plan to mitigate cyber-related vulnerabilities, or assure the continuity and viability of its cyber-related critical infrastructure. The Department's lack of progress in this area increased the risk of malicious damage to its cyber-related critical infrastructure and could adversely impact its ability to protect assets and deliver essential services.

    • In February 2001, our report on Internet Privacy (DOE/IG-0493) disclosed that the Department had not monitored or controlled the development of internet sites across the complex. Specifically, the Department had not provided clear and current guidance for implementing Federal privacy requirements, and did not provide consistent oversight of web site development and operation.

    • In February 2001, the Audit of the Department's Consolidated Financial Statements (DOE/IG-FS-01-01) disclosed that weaknesses regarding the establishment and maintenance of security over unclassified information systems, including financial systems, continued to exist. Specifically, the report identified sites with problems involving network security weaknesses. These weaknesses and vulnerabilities increased the risk that malicious destruction or alteration of data or the processing of unauthorized financial transactions could occur and not be detected in a timely manner.

Acquisition and Development of Information Systems

As demonstrated by our previous audits, the Department did not always acquire, develop or use IT resources effectively and efficiently. These problems span a number of years and have been observed at virtually all Departmental levels. Because of its decentralized approach to IT management, the Department has been unable to constrain duplicative information systems development and effectively deploy corporate-level systems. The following reports demonstrate the costly effect of unconstrained acquisition and development.

    • In April 1997, our report on the Audit of the Management of the Department of Energy's Leased Administrative Facilities (DOE/IG-0402) showed that although the Department spent $1.8 million on a corporate database to track Departmental leased space, the Facilities Information Management System, none of the sites audited were using it. Furthermore, our follow-on report, the audit of the Facilities Information Management System (DOE/IG-0468), issued in April 2000, concluded that after more than 4 years of implementation as many as 20 Departmental sites used existing in-house systems and not the corporate Facilities Information Management System.

    • In August 1997, our report on the Audit of Controls over the ADP Support Services Contract (CR-B-97-04) pointed out that Headquarters program offices did not effectively manage the Automated Data Processing (ADP) support services contracts by fully evaluating and controlling costs for task assignments. The report indicated that, by better controlling the costs of task assignments through the use of standard industry benchmarks, the Department could reduce the cost of ADP support services by $2 million annually.

    • In January 1999, our audit report on the U.S. Department of Energy's Procurement and Assistance Data System (DOE/IG-0436) indicated that the system did not meet users' needs or comply with current generally accepted systems development practices. Although the procurement and assistance data system was designed to be the Department's corporate system, 73 other systems within the Department were used to prepare, execute, and monitor contracts, purchase orders, grants, and other awards.

    • In March 2000, we reported in the audit of the Department's Commercial-off-the-Shelf Software Acquisition Framework (DOE/IG-0463) that the Department had not developed and implemented software standards or effectively used enterprise-wide contracts, key components of a commercial-off-the-shelf software acquisition framework. The Department could have saved about $38 million over five years had it negotiated an enterprise-wide software contract for just one of its major desktop software suites.

    • In September 2000, our report on the audit of Corporate and Stand-Alone Information System Development (DOE/IG-0485) demonstrated that duplicative and/or redundant information systems exist or were under development at virtually all organizational levels within the Department. Despite efforts to implement several corporate level applications, many organizations continued to invest in custom or site-specific development efforts that duplicate corporate functionality. The lack of a fully developed and implemented application software investment strategy resulted in the Department spending at least $38 million on duplicative information systems.

    • In February 2001, we reported in the audit of The U.S. Department of Energy's Corporate Human Resource Information System (DOE/IG-0494) that the Department had not adequately managed the acquisition and development of its Departmentwide human resource system. Specifically, the Department did not adhere to project planning and best practices for system development projects. As a consequence, full implementation was delayed six years, the cost of the system was 155 percent greater than originally estimated, and the estimated savings of approximately $9.6 million associated with implementing the system will not be achieved.

Clinger-Cohen Act of 1996

The Clinger-Cohen Act of 1996 required executive agencies to establish the position of CIO with the intent of improving the management of IT throughout the Federal government.
The major\n                    expectations set forth in Clinger-Cohen include the efficient and\n                    effective acquisition and use of all IT resources, the close monitoring of\n                    the performance of all IT programs, and the establishment of an\n                    integrated, enterprise-wide IT architecture to guide an agency\'s IT\n                    investments. Clinger-Cohen envisioned that the agency CIO would be\n                    held accountable for implementing and managing programs that would\n                    help achieve these expectations, thereby enhancing IT management and\n                    control. Clearly, the intent of Clinger-Cohen was to have the CIO\n                    actively involved in the management of all Departmental IT programs.\n\n\nFactors Affecting   The Department\'s organizational approach to IT management has\nImplementation      impacted its ability to effectively implement Clinger-Cohen\n                    requirements. The Department\'s decentralized approach to IT\n                    management and oversight and the organizational placement of the CIO\n                    may have contributed to problems summarized in this report.\n                    Additionally, the lack of a baseline or benchmark that provides the\n                    Department with a comprehensive view of its IT position has also\n                    hindered satisfaction of Clinger-Cohen requirements.\n\n                                   Decentralized Management and Oversight\n\n                    The Department\'s decentralized approach to IT management and\n                    oversight does not provide the CIO with the tools necessary to closely\n                    monitor Clinger-Cohen implementation initiatives. 
Except for certain\n                    corporate-level information systems, IT policy implementation and\n                    monitoring responsibility is vested in the Lead Program Secretarial\n                    Officers. While it is clear that program officials should be directly\n\n\nPage 7                                                                   Details of Finding\n\x0c         responsible for policy implementation, the Act requires that the\n         Department establish a mechanism that will permit the CIO to "closely\n         monitor" implementation activities. As presently structured, the CIO\n         lacks the oversight authority necessary to ensure that policy\n         implementation is consistent across the complex and is designed to\n         satisfy corporate objectives. Review and approval authority for\n         virtually all systems development activity is delegated to operating units\n         and the CIO performs only limited reviews of Clinger-Cohen\n         implementation activities. As a consequence, various program elements\n         and sites developed IT implementation approaches that were\n         inconsistent, overly costly, and often less than completely effective.\n\n                                Organizational Placement\n\n         Changes in the organizational placement of the CIO and the creation of\n         CIO positions within each of the Lead Program Secretarial Offices may\n         have also diminished the Department\'s ability to satisfy Clinger-Cohen\n         requirements. These changes resulted in the Department\'s realignment\n         of the CIO\'s organization, placing it under the operational control of the\n         Office of Security and Emergency Operations. Such action, while well-\n         intentioned in the wake of numerous computer security incidents, may\n         have decreased the CIO\'s ability to monitor IT investment activity. As\n         pointed out by the U.S. 
General Accounting Office (GAO) in its\n         publication on Maximizing the Success of Chief Information Officers,\n         (GAO-01-376G, February 2001) such practices do not position the CIO\n         for success and are based on an ineffective and outdated management\n         model. GAO also emphasizes Clinger-Cohen requirements that CIOs\n         occupy executive-level positions, report directly to the agency head, and\n         have primary responsibility for information management. It is unclear\n         what effect the appointment of CIOs at the program level will have on\n         implementation, but this action may serve to further detract from the\n         ability of the Department\'s CIO to satisfy Clinger-Cohen requirements.\n\n                            Information Technology Baseline\n\n         Another factor hindering the ability of the Department to effectively\n         manage its IT program was the lack of complete knowledge regarding\n         its IT program. Although the General Accounting Office pointed out a\n         need for an applications and major systems inventory in its 1996 report\n         Information Management: Energy Lacks Data to Support Its\n         Information System Streamlining Effort (GAO/AIMD-96-70, July 1996)\n         the Department has yet to implement the recommendation. Currently,\n         the Department does not have an information baseline, an inventory of\n         applications and major systems in use or under development within the\n\n\nPage 8                                                         Details of Finding\n\x0c                    Department. Application inventories are simple tools that can greatly\n                    facilitate the process of IT governance. 
They are an essential part of the first governance component, defining the overall infrastructure, a requirement of the Clinger-Cohen Act, and should help avoid duplicative development efforts. When performed across the entire organization, the opportunities for sharing of data, cost savings and operational streamlining increase exponentially.

Opportunities for Improvement

While the Department has taken action on many of the recommendations contained in our past reports, opportunities for improvement exist. Based on our reports and several management initiatives, the Department has taken a number of actions designed to improve the overall management of IT resources. These actions include a number of initiatives to improve computer security, to broaden the coverage of the IT architecture, to eliminate or reduce the development of duplicative systems, and a plan for modernizing Departmental systems. While these actions have great promise, they may not be fully successful unless the Department's CIO is given the authority to ensure that they are fully and consistently implemented.

In addition to the changes in the organizational alignment, improvements in developing and implementing focused, Clinger-Cohen specific performance measures are essential for success in this challenging area. As noted in many of the audits detailed in this special report, the Department had not developed and implemented specific performance measures to focus its Clinger-Cohen related implementation activities. Such measures, required by the Government Performance and Results Act (GPRA) of 1993, should address specific implementation goals and must be outcome oriented. Improvements or refinements of existing performance measures should provide the Department with an objective means of measuring the performance and effectiveness of the CIO and responsible program officials in implementing Clinger-Cohen initiatives.

Without change, the Department is also not likely to be successful in implementing the requirements of the recently enacted Government Information Security Reform Act (GISRA) of 2001. GISRA reemphasizes Clinger-Cohen responsibilities and requires the Head of each Agency to delegate the authority to develop and implement a Departmentwide information security program to the CIO.
Among other things, the GISRA specifically requires that the CIO ensure that "…the agency effectively implements and maintains information security policies, procedures, and control techniques." In addition, the CIO is also charged with periodically evaluating "…the effectiveness of the agency information security program, including testing control techniques." The CIO is unlikely to be successful in these endeavors without changes in authority and organizational alignment.

RECOMMENDATIONS

To improve Clinger-Cohen implementation efforts and the overall management of the information technology program, we recommend that the Department:

1. Satisfy Clinger-Cohen requirements by positioning the CIO in such a manner as to ensure that the position has primary responsibility for information management, is a full participant in the Department's executive management team, and reports to the agency head;

2. Provide the Office of the CIO with authority to conduct oversight and monitoring activities sufficient to ensure implementation of Clinger-Cohen Act policy initiatives;

3. Develop an information technology baseline that includes an inventory of applications and major systems in use or under development within the Department; and,

4. Evaluate existing performance measures and goals associated with Clinger-Cohen Act implementation. Prepare specific, focused performance measures, with targets for completion, as required by the GPRA of 1993.

MANAGEMENT REACTION

Our report contains recommendations designed to improve Clinger-Cohen Act implementation at the Department. While Management concurred with recommendations 3 and 4 and proposed certain corrective actions, it did not concur with our primary recommendations 1 and 2 to realign the Office of the CIO and provide the office with oversight authority. Specifically, management provided the following comments.

Recommendation 1: Management did not agree because it believes that the current organizational placement and reporting relationship of the Office of the CIO does not diminish the Department's ability to successfully implement objectives of the Clinger-Cohen Act.
Under the current organizational alignment, the CIO has the ability to influence information technology related decisions through direct access to the Deputy Secretary/Secretary and by service as the Executive Secretary to the Executive Committee for Information Management. Management believes that instead of realigning the CIO, it is more important to maintain the synergy that resulted from the close linkage of cyber and physical security functions and to focus efforts on the systemic problems and barriers to managing its significant IT investment. Several actions, such as the appointment of CIOs at the program level and the formation of a CIO Executive Council, should improve Department-wide implementation of the Clinger-Cohen Act. Management also indicated that it planned to better communicate the CIO's organizational relationship with executive management during the formal response process.

Recommendation 2: Management did not agree and indicated that the CIO currently possessed adequate authority to ensure Clinger-Cohen implementation. In addition, management contended that programs and initiatives conducted by the Executive Council for Information Management, the CIO Executive Council, and collaborative efforts between the CIO, Program-level CIOs, and the Office of Independent Oversight provided an effective means by which the CIO monitored Departmental IT investments and programs.

Recommendations 3 and 4: Management agreed with the recommendations and proposed corrective actions.

Management comments, in their entirety, are included in Appendix II.

AUDITOR COMMENTS

As noted in our report, we are concerned that the Department's past and proposed actions may be insufficient to achieve Clinger-Cohen objectives. The reporting relationship that management depends on in its response is the same as or similar to models in place during the periods covered by our reports. While we agree that the Department's overall cyber security posture has improved, we do not understand how realignment of the CIO would jeopardize security.
In fact, in light of the increased emphasis on cyber security and the significant responsibilities assigned to the CIO by the GISRA, a formal direct reporting relationship to the Secretary or Deputy Secretary should serve to strengthen security by elevating the stature of the CIO and making him a partner with the official responsible for physical security.

While we applaud Departmental initiatives to better manage and control IT investments, we continue to believe that the CIO should be a full member of the Department's executive management team. Should the Department elect to continue the present reporting relationship, we believe that several actions should be taken to increase the effectiveness of the CIO function. We suggest that, at a minimum, the arrangement to provide direct access to the Deputy Secretary/Secretary be formalized. As mentioned in management's response, we also believe that immediate action should be taken to officially document and communicate the CIO's authorities and responsibilities with respect to Clinger-Cohen related issues. Such communication should reinforce the direct access relationship and clearly indicate that the CIO bears primary responsibility for Clinger-Cohen Act policy and oversight.

As our report points out, fundamental shortcomings in monitoring and controlling IT investments, cyber security, and the implementation of a Department-wide IT architecture continue to exist. In many instances, a contributing factor was either a lack of proactive monitoring or a lack of compliance with existing IT related policy. While we recognize that the Office of Independent Oversight and Performance Assessment provides the CIO with an important and useful enforcement mechanism in the cyber security area, a similar arrangement is not available in the IT investment area. Except for certain corporate-level systems development efforts, the CIO has not historically been involved in actively monitoring development efforts.

We concur with management's proposal to strengthen the IT management function by fully defining and formalizing the CIO's responsibility and authority. To answer concerns in this particular area, we believe that the pending order should formalize initial and periodic program-level systems development reviews. The revised order should also provide the CIO with the authority to review and concur with reports of such evaluations. Finally, a process for elevating disagreements between the CIO and line organizations should also be formalized. With the addition of these attributes, we would consider the proposed actions to be responsive to our recommendation.

APPENDIX I

SCOPE

This audit was conducted at Departmental Headquarters between September 2000 and March 2001. We reviewed IT related OIG audit reports issued between the inception of the Clinger-Cohen Act in Fiscal Year 1996 and February 28, 2001.
In addition, we evaluated proposed and ongoing Office of the CIO initiatives that have a direct bearing on the implementation of Clinger-Cohen.

METHODOLOGY

To satisfy the audit objective, we:

• Reviewed the Clinger-Cohen Act of 1996 and the Investigative Report of Senator Fred Thompson on Federal Agency Compliance with the Clinger-Cohen Act to discern the major expectations;

• Reviewed 13 IT related OIG audit reports, evaluating audit findings in terms of their relationship to Clinger-Cohen implementation;

• Reviewed the Department's official response to Senator Fred Thompson's inquiry as to Departmental Clinger-Cohen implementation and supporting documentation; and,

• Held discussions with representatives of the Office of the CIO to obtain details on planned and ongoing IT initiatives that had a direct bearing on Clinger-Cohen implementation.

The audit was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objectives. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed. Also, we did not rely on computer-processed data to accomplish our audit objective.
An exit conference was held with the Office of Security Affairs and Emergency Operations and the Office of the CIO on May 2, 2001.

APPENDIX II

Management Comments (pages 14 through 17 of the original report, not reproduced)

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy, Office of Inspector General, Home Page
http://www.ig.doe.gov